With a little side of applesauce...

Thursday, February 1, 2007

BosDev BosDates v3.3 vulnerability

We found a vulnerability in email.php and email_friend.php that allows them to be used for sending spam. Here is an excerpt from our Apache log:


200.118.2.220 - - [01/Apr/2006:19:35:36 -0600] "POST /calendar/email.php%7cr_email%7ccalendar%7cevent%7cr_name%7cmessage%7caction HTTP/1.1" 404 261 "http://www.dentonbible.org/" "-"
200.118.2.220 - - [01/Apr/2006:19:35:36 -0600] "POST /calendar/email.php%7cr_email%7ccalendar%7cevent%7cr_name%7cmessage%7caction HTTP/1.1" 404 261 "http://www.dentonbible.org/" "-"
62.14.103.6 - - [01/Apr/2006:19:37:05 -0600] "POST /calendar/email.php%7Cr_email%7Ccalendar%7Cevent%7Cr_name%7Cmessage%7Caction HTTP/1.1" 404 261 "http://www.dentonbible.org/" "-"
210.14.4.82 - - [01/Apr/2006:19:37:36 -0600] "POST /calendar/email.php|r_email|calendar|event|r_name|message|action HTTP/1.1" 404 261 "http://www.dentonbible.org/" "-"
210.14.4.82 - - [01/Apr/2006:19:37:38 -0600] "POST /calendar/email.php|r_email|calendar|event|r_name|message|action HTTP/1.1" 404 261 "http://www.dentonbible.org/" "-"
194.68.63.142 - - [01/Apr/2006:19:38:20 -0600] "POST /calendar/email.php|r_email|calendar|event|r_name|message|action HTTP/1.1" 404 261 "http://www.dentonbible.org/" "-"
194.68.63.142 - - [01/Apr/2006:19:38:20 -0600] "POST /calendar/email.php|r_email|calendar|event|r_name|message|action HTTP/1.1" 404 261 "http://www.dentonbible.org/" "-"
203.177.102.214 - - [01/Apr/2006:19:39:25 -0600] "POST /calendar/email.php|r_email|calendar|event|r_name|message|action HTTP/1.0" 404 261 "http://www.dentonbible.org/" "-"
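To pull these requests out of a larger log automatically, here is an added Python example (not from the post or from BosDev) that parses combined-format lines, flags POSTs to the BosDates mail scripts that carry the pipe-joined field list seen above, and counts them per source IP; the sample lines, IPs and referer in it are constructed, not the ones from the excerpt.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache combined log format, matching the excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Scripts named in the post, and the pipe-joined list of form field names the
# zombies appended to the path (seen both raw and percent-encoded as %7c).
TARGET_SCRIPTS = ("/calendar/email.php", "/calendar/email_friend.php",
                  "/calendar/email_signup.php")
FIELD_LIST = re.compile(r"\|r_email\|")

# Constructed sample lines modelled on the excerpt; the IPs and referer are
# documentation addresses, not the ones from the post.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Apr/2006:19:35:36 -0600] "POST /calendar/email.php%7cr_email%7ccalendar%7cevent%7cr_name%7cmessage%7caction HTTP/1.1" 404 261 "http://www.example.org/" "-"',
    '198.51.100.7 - - [01/Apr/2006:19:37:36 -0600] "POST /calendar/email.php|r_email|calendar|event|r_name|message|action HTTP/1.1" 200 1834 "http://www.example.org/" "-"',
    '198.51.100.7 - - [01/Apr/2006:19:37:38 -0600] "POST /calendar/email_friend.php|r_email|calendar|event|r_name|message|action HTTP/1.0" 200 1834 "-" "-"',
    '192.0.2.9 - - [01/Apr/2006:19:40:00 -0600] "GET /calendar/event.php?event=12 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_bosdates_probe(entry):
    """POST to a BosDates mail script that carries the pipe-joined field list."""
    path = unquote(entry["path"])
    return (entry["method"] == "POST" and path.startswith(TARGET_SCRIPTS)
            and FIELD_LIST.search(path) is not None)

def scan(lines):
    """Return (hits, per_ip): matching entries and probe counts per source IP."""
    hits, per_ip = [], Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and is_bosdates_probe(entry):
            hits.append(entry)
            per_ip[entry["ip"]] += 1
    return hits, per_ip

def reached_live_script(hits):
    """Probes answered 200 hit a script that still existed; a 404 (as the
    comments below note) only means the file had already been removed."""
    return [h for h in hits if h["status"] == "200"]
```

Running scan(SAMPLE_LOG) on the constructed lines gives three probes from two sources, two of which got a 200 and so reached a live script; the GET of event.php is ignored.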

We were then getting mail delivery errors with email addresses listed in the following format:

<jlyoungun@test.com>
<toadd53@test.com>
<sweetthing69934@test.com>
<thuglife3c@test.com>
<bsweet8@test.com>
<clrbmnt@test.com>
<outwestatl@test.com>
<sub4hubby@test.com>
<ricopuerto26@test.com>
<star41480@test.com>

Apparently, including the angle brackets (<>) with the email addresses (or was it the newline character that the JS was missing?) bypassed the JavaScript validation, which looked like this:


// Client-side check from email.php: the address is rejected only if it
// contains a space or is missing an '@' or a '.'. Nothing here looks for
// angle brackets or line breaks, and the check never runs at all for a
// request that is POSTed straight to the script.
if (form.r_email.value != "") {
    var email = form.r_email.value;
    var check_space = email.indexOf(' ');
    var check_ast = email.indexOf('@');
    var check_dot = email.indexOf('.');
    if ((check_space != -1) || (check_ast == -1) || (check_dot == -1)) {
        alert('<?php echo $Languages['email']['error4']; ?>');
        form.r_email.focus();
        return false;
    }
}
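As an added example (not from the post or from BosDev), the Python below re-implements the check above, the '@'-count test the post goes on to add in PHP, and a stricter rule of our own that also rejects the characters that break a mail header; the sample values are constructed, shaped like the bounces quoted above.

```python
import re

# Transcription of the BosDates client-side check quoted in the post:
# reject only when a space is present or '@' / '.' is missing.
def bosdates_js_check(email: str) -> bool:
    check_space = email.find(" ")
    check_ast = email.find("@")
    check_dot = email.find(".")
    return not (check_space != -1 or check_ast == -1 or check_dot == -1)

# The server-side rule the post adds to email.php: explode on '@' must
# yield exactly two parts, i.e. exactly one '@' in the whole value.
def bosdates_php_at_count_check(email: str) -> bool:
    return len(email.split("@")) == 2

# Stricter rule (assumption: our own, not BosDev's): both checks above,
# plus rejection of the characters that end or open a mail header line.
HEADER_BREAK = re.compile(r"[\r\n<>]")

def hardened_check(email: str) -> bool:
    if HEADER_BREAK.search(email) or not bosdates_php_at_count_check(email):
        return False
    local, domain = email.split("@")
    return bool(local) and "." in domain.strip(".") and " " not in email

def build_from_header(email: str) -> str:
    """Build the 'From:' header the way email.php does, but refuse any
    value that could spill over into a second header line."""
    if not hardened_check(email):
        raise ValueError("rejected sender address: %r" % email)
    return "From: %s\r\n" % email

# Constructed samples: a normal address, a value shaped like the
# angle-bracket/newline bounces quoted in the post, and a single address
# followed by a line break (passes the '@' count but not the CR/LF rule).
SAMPLES = [
    "user@example.com",
    "<jlyoungun@test.com>\n<toadd53@test.com>",
    "user@example.com\r\nsubject:hello",
]

def compare(samples=SAMPLES):
    """Map each sample to (js_check, php_at_count_check, hardened_check)."""
    return {s: (bosdates_js_check(s), bosdates_php_at_count_check(s),
                hardened_check(s)) for s in samples}

if __name__ == "__main__":
    for sample, verdicts in compare().items():
        print(repr(sample), "js/php/hardened:", verdicts)
```

The third sample is the reason the '@' count alone is not enough: one address plus a line break has a single '@', so only the CR/LF rule stops it.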

Anyways, I modified the JS to check for angle brackets, and then (just in case people were using a local copy and modifying the JS) added PHP to check for more than one "@" in the submitted address. If more than one "@" is found, it throws an error and dies. Here are the diffs for both files:


--- /usr/local/src/email.php 2005-01-25 13:06:22.000000000 -0600
+++ email.php 2006-04-01 23:23:45.000000000 -0600
@@ -84,7 +84,8 @@
var check_space = email.indexOf(' ');
var check_ast = email.indexOf('@');
var check_dot = email.indexOf('.');
- if ((check_space != -1) || (check_ast == -1) || (check_dot == -1)) {
+ var check_angle = email.indexOf('<');
+ if ((check_space != -1) || (check_ast == -1) || (check_dot == -1) || (check_angle != -1)) {
alert ('<?php echo $Languages['email']['error4']; ?>');
form.r_email.focus();
return false;
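Review bot: the new `check_angle` only rejects `<`; the bounced addresses quoted above also contain `>` and a newline between entries, and the post itself suspects the newline, so `\r` and `\n` (and `>`) should be rejected as well. This is still browser-side code: the log excerpt shows POSTs made directly to email.php with no page load, so none of it runs for those requests, and the server-side check in the next hunk is the one that has to hold.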
@@ -99,27 +100,40 @@



<?php
-
if(isset($action)) {
$event = intval(protect($event));
$result = query("SELECT contact_email,event_title FROM {$calendar_prefix}events WHERE event_id=$event",$cal_link);
list($contact_email,$event_title) = mysql_fetch_row($result);
$event_title = stripslashes($event_title);
$subject = "Email regarding ".$event_title;
- $from = "From: $r_email\r\n";
- htmlMail($from,$contact_email,$subject,$message);
- echo "
<table width=\"500\" border=\"0\" cellspacing=\"1\" cellpadding=\"3\" class=\"calendar_background\">
<tr>
<td align=\"center\" class=\"calendar_cell\"><span class=\"calendar_menu_text\">{$Languages['email']['confirm']}</span></td>
</tr>
<tr>
<td class=\"calendar_cell\" align=\"center\"><a class=\"event_link\" xhref=\"event.php?event=$event\">{$Languages['email']['confirm']}</a></td>
</tr>
</table>
";
- include("footer.php");
- die();
+ $explode_emailaddr = explode("@", $r_email);
+ $count_explode_emailaddr = count($explode_emailaddr);
+ if ( $count_explode_emailaddr == 2 ) {
+ $from = "From: $r_email\r\n";
+ htmlMail($from,$contact_email,$subject,$message);
+ echo "
<table width=\"500\" border=\"0\" cellspacing=\"1\" cellpadding=\"3\" class=\"calendar_background\">
<tr>
<td align=\"center\" class=\"calendar_cell\"><span class=\"calendar_menu_text\">{$Languages['email']['confirm']}</span></td>
</tr>
<tr>
<td class=\"calendar_cell\" align=\"center\"><a class=\"event_link\" xhref=\"event.php?event=$event\">{$Languages['email']['confirm']}</a></td>
</tr>
</table>
";
+ include("footer.php");
+ die();
+ } else {
+ echo "
<table width=\"500\" border=\"0\" cellspacing=\"1\" cellpadding=\"3\" class=\"calendar_background\">
<tr>
<td align=\"center\" class=\"calendar_cell\"><span class=\"calendar_menu_text\">We are sorry, but only one email address may be used at a time.</span></td>
</tr>
<tr>
<td class=\"calendar_cell\" align=\"center\"><a class=\"event_link\" xhref=\"email.php\">We are sorry, but only one email address may be used at a time.</a></td>
</tr>
</table>
";
+ include("footer.php");
+ die();
}
-
+}
?>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
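Review bot: `count($explode_emailaddr) == 2` limits the value to a single `@` but does not validate it, and `$r_email` still goes verbatim into `$from = "From: $r_email\r\n";`, so one address followed by a line break and a further header line passes this test and still lands in the mail headers. Reject `\r`, `\n`, `<` and `>` and require one `@` plus a dot in the domain before building `$from`; sending from a fixed site address with `$r_email` in Reply-To would remove the injection point altogether. Smaller points: the whole success branch is copied into the `if` rather than wrapped, which makes the diff larger than the change, and the `else` branch uses the full error sentence as both the span text and the `xhref="email.php"` link text, where a short link label would read better.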
<td align=\"center\" class=\"calendar_cell\"><span class=\"calendar_menu_text\">We are sorry, but only one email address may be used at a time.</span></td>
</tr>
<tr>
<td class=\"calendar_cell\" align=\"center\"><a class=\"event_link\" xhref=\"email_friend.php\">We are sorry, but only one email address may be used at a time.</a></td>
</tr>
</table>
";
+ include("footer.php");
+ die();
}
+ }

?>
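Review bot: this email_friend.php hunk has lost its `---`/`+++` header and `@@` line, and the lines between `<tr>` and the echoed `<td ...>` are not in the excerpt, so the check around it cannot be verified from what is shown. What is visible mirrors the email.php `else` branch (error sentence repeated as span and `xhref="email_friend.php"` link text, then `include("footer.php"); die();`), so the same comment applies: pair the `@` count with CR/LF rejection before `$r_email` reaches a mail header.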

This same problem affects email_signup.php, but there the spammer can "only" dump email addresses into the database (hence wreaking worse havoc, as BosDates sends out notifications to everyone…). Must sleep though…

3 comments:

speeves said...

Just a note on the log entries above:

The 404 was after I removed the files. I just wanted to show that random “zombies” were looking for those pages on our site.

speeves said...

BosDev responded to us very quickly, and had patched files up on their server by Monday.

Kudos, BosDev Team!!

speeves said...

ummmm…. The BosDev team released email_friend.php and email_signup.php, but not email.php… I have contacted them, but their response was that email.php was not vulnerable to this exploit, as it grabbed the “To:” header from the event…. I don’t have time to explore this further, but we are not updating our version of email.php until that fix is in place. (Our version is patched already with the patch above).

BTW, this is what the email addresses looked like: